Steam Code Execution – Privilege Escalation to SYSTEM (Part 2)

In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted last night’s blog post at 1am, tired as hell, and in my sleep-deprived state I completely neglected to update it properly, and there are several mistakes and bits of missing information. The draft went out and confused a lot of people. So, for that, I apologise. I’m going to leave it there so people can see it, because it’ll remind me not to do that next time.

Now, onto the real impact of the vulnerability: I can leverage it to gain code execution as SYSTEM. How? Well, it turns out that Steam.exe gives itself one unusual privilege – the privilege to debug other processes. This is called SeDebugPrivilege and one of its features is that it allows the process to bypass access control lists (ACLs) on processes when you call OpenProcess, i.e. the process can open a handle to any process it likes, with any privilege it likes.

Here’s how you can elevate to SYSTEM when you have SeDebugPrivilege:

  1. Open a handle to a process that is running as SYSTEM, with PROCESS_ALL_ACCESS as the access flag.
  2. Use VirtualAllocEx to allocate a block of memory in the remote process, with the executable flag set.
  3. Use WriteProcessMemory to copy a block of shellcode into that memory buffer.
  4. Use CreateRemoteThread to create a new thread in the remote process, whose start address is the base address of the memory allocation.
  5. Bingo! You just got a privesc to SYSTEM.

In this case, once you’ve got code execution inside Steam, you can utilise this trick to escalate yourself to SYSTEM. There’s your privesc vuln.

Advertisements